profile
viewpoint

pixystone/ant-design 0

:ant: One design language

pixystone/devops 0

Scripts for devops

pixystone/eclipse.jdt.ls 0

Java language server

pixystone/install-to-project-repo 0

A script for installing jars to an in-project Maven repository

pixystone/libpod 0

libpod is a library used to create container pods. Home of Podman.

pixystone/pixystone.github.com 0

Pixy's Blog on GitHub

pixystone/python-language-server 0

An implementation of the Language Server Protocol for Python

pixystone/system-design-primer 0

Learn how to design large-scale systems. Prep for the system design interview. Includes Anki flashcards.

pixystone/WebIDE 0

Coding WebIDE Community Edition

fork pixystone/system-design-primer

Learn how to design large-scale systems. Prep for the system design interview. Includes Anki flashcards.

fork in 2 months

starteddonnemartin/system-design-primer

started time in 2 months

issue commentistio/istio

[upgrade by operator from 1.5.1 to 1.5.4] istio-ingressgateway Envoy is not Ready

The root cause may the same as #25235

pixystone

comment created time in 3 months

issue openedistio/istio

[upgrade by operator from 1.5.1 to 1.5.4] istio-ingressgateway Envoy is not Ready

(NOTE: This is used to report product bugs: To report a security vulnerability, please visit https://istio.io/about/security-vulnerabilities/ To ask questions about how to use Istio, please visit https://discuss.istio.io )

Bug description

the discovery-address is

--discoveryAddress="istio-pilot.istio-system.svc:15012"

but no svc named istio-pilot in my cluster, it may be chaned to istiod.

$ki get svc
NAME                        TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                                                    AGE
istio-citadel               ClusterIP   None         <none>        8060/TCP,15014/TCP                                         4h39m
istio-ingressgateway        ClusterIP   None         <none>        80/TCP,443/TCP                                             73d
istiod                      ClusterIP   None         <none>        15012/TCP,443/TCP                                          73d
jaeger-agent                ClusterIP   None         <none>        5775/UDP,6831/UDP,6832/UDP                                 73d
jaeger-collector-headless   ClusterIP   None         <none>        14250/TCP                                                  73d
kiali                       ClusterIP   None         <none>        20001/TCP                                                  73d
prometheus                  ClusterIP   None         <none>        9090/TCP                                                   73d

Affected product area (please put an X in all that apply)

[ ] Configuration Infrastructure [ ] Docs [ ] Installation [ ] Networking [ ] Performance and Scalability [ ] Policies and Telemetry [ ] Security [ ] Test and Release [ ] User Experience [ ] Developer Infrastructure

Affected features (please put an X in all that apply)

[ ] Multi Cluster [ ] Virtual Machine [ ] Multi Control Plane

Expected behavior

Steps to reproduce the bug

Version (include the output of istioctl version --remote and kubectl version and helm version if you used Helm)

How was Istio installed?

Environment where bug was observed (cloud vendor, OS, etc)

Additionally, please consider attaching a cluster state archive by attaching the dump file to this issue.

created time in 3 months

issue openedistio/istio

[upgrade by operator from 1.5.1 to 1.5.4] istiod rbac problem: clusterrole is binding a wrong service-account

(NOTE: This is used to report product bugs: To report a security vulnerability, please visit https://istio.io/about/security-vulnerabilities/ To ask questions about how to use Istio, please visit https://discuss.istio.io )

Bug description

$ kubectl get pod -n istio-system
NAME                                    READY   STATUS    RESTARTS   AGE
istio-citadel-787c4f9ff7-vb7c4          1/1     Running   0          23d
istio-ingressgateway-6f4564fff9-xmp2c   0/1     Running   0          4h1m
istio-ingressgateway-755bff46bb-sn7hp   1/1     Running   0          73d
istio-tracing-d497b9c9b-kkv4c           1/1     Running   0          73d
istiod-68459f8cf7-g6xf2                 1/1     Running   0          23d
istiod-947f49958-nzrpl                  0/1     Running   0          4h3m
kiali-6bc5c6f578-czrd5                  1/1     Running   0          73d
prometheus-597c595499-8xvzh             1/2     Running   0          23d
prometheus-7d99cfd4fb-hn767             2/2     Running   0          73d
$ kubectl logs istiod-947f49958-nzrpl

2020-07-06T06:28:11.798816Z     error   k8s.io/client-go@v0.17.2/tools/cache/reflector.go:105: Failed to list *v1beta1.MutatingWebhookConfiguration: mutatingwebhookconfigurations.admissionregistration.k8s.io "istio-sidecar-injector" is forbidden: User "system:serviceaccount:istio-system:istiod-service-account"cannot list resource "mutatingwebhookconfigurations" in API group "admissionregistration.k8s.io" at the cluster scope

the clusterrolebinding config:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: pilot
    operator.istio.io/component: Pilot
    operator.istio.io/managed: Reconcile
    operator.istio.io/version: 1.5.4
    release: istio
  name: istio-pilot-istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-pilot-istio-system
subjects:
- kind: ServiceAccount
  name: istio-pilot-service-account
  namespace: istio-system

no istiod-service-account binding in subjects

I added istiod-service-account to this clusterrolebinding and fixed it:

subjects:
- kind: ServiceAccount
  name: istio-pilot-service-account
  namespace: istio-system
- kind: ServiceAccount
  name: istiod-service-account   # <--- the missing one
  namespace: istio-system
$ kubectl get pod -n istio-system
NAME                                    READY   STATUS        RESTARTS   AGE
istio-citadel-787c4f9ff7-vb7c4          1/1     Running       0          23d
istio-ingressgateway-6f4564fff9-xmp2c   0/1     Running       0          4h14m
istio-ingressgateway-755bff46bb-sn7hp   1/1     Running       0          73d
istio-tracing-d497b9c9b-kkv4c           1/1     Running       0          73d
istiod-68459f8cf7-g6xf2                 1/1     Terminating   0          23d
istiod-947f49958-nzrpl                  1/1     Running       0          4h15m
kiali-6bc5c6f578-czrd5                  1/1     Running       0          73d
prometheus-597c595499-8xvzh             1/2     Running       0          23d
prometheus-7d99cfd4fb-hn767             2/2     Running       0          73d

Affected product area (please put an X in all that apply)

[ ] Configuration Infrastructure [ ] Docs [ x ] Installation [ ] Networking [ ] Performance and Scalability [ ] Policies and Telemetry [ ] Security [ ] Test and Release [ ] User Experience [ ] Developer Infrastructure

Affected features (please put an X in all that apply)

[ ] Multi Cluster [ ] Virtual Machine [ ] Multi Control Plane

Expected behavior

Steps to reproduce the bug

Version (include the output of istioctl version --remote and kubectl version and helm version if you used Helm)

How was Istio installed?

Environment where bug was observed (cloud vendor, OS, etc)

Additionally, please consider attaching a cluster state archive by attaching the dump file to this issue.

created time in 3 months

more